US20150006913A1 - High speed cryptographic combining system, and method for programmable logic devices - Google Patents
- Publication number
- US20150006913A1; application US13/931,585
- Authority
- US
- United States
- Prior art keywords
- lut
- cryptographic
- output
- value
- input
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G06F21/602 Providing cryptographic facilities or services (under G06F21/60 Protecting data; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F Electric digital data processing; G06 Computing, calculating or counting; G Physics)
- G06F21/76 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in application-specific integrated circuits [ASIC] or field-programmable devices, e.g. field-programmable gate arrays [FPGA] or programmable logic devices [PLD] (under G06F21/71 ... to assure secure computing or processing of information; G06F21/70 Protecting specific internal or peripheral components; G06F21/00)
- G06F21/755 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation, with measures against power attack (under G06F21/75 ... by inhibiting the analysis of circuitry or operation; G06F21/71; G06F21/70; G06F21/00)
- H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use (under H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords; H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications, network security protocols; H04L Transmission of digital information, e.g. telegraphic communication; H04 Electric communication technique; H Electricity)
- H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
Definitions
- The present invention relates generally to cryptographic systems. More particularly, it relates to systems and methods for realizing efficient combining of binary data at high speed to support various cryptographic processes.
- This invention can be used for, e.g., but is not limited to, mitigating side channel information leakage that enables recovery of secret data via means such as differential power analysis (DPA).
- DPA differential power analysis
- Conventional cryptographic methods process secret key data and input information data generally by, e.g., but not limited to, 8-bit bytes (sometimes 16-bit di-bytes, and seldom beyond 32-bit quad-bytes) within a given algorithmic step.
- The two groups of 16-byte quantities may be combined by combining byte 1 of the key with byte 1 of the information, byte 2 of the key with byte 2 of the information, and so on.
- Cryptographic processing methods implement such algorithms by combining these byte pairs across one or more clock cycles of the processor and storing intermediate values in processor registers awaiting another round of combination.
- The power consumption during these writes to registers is a prime source of information leakage.
- Conventional solutions have attempted to mask such power usage through various mitigation algorithms. Some conventional solutions remain vulnerable to such attacks.
- Conventional security applications generally employ an integrated circuit (IC) on which may be embedded a secret value, or may employ a random number generator to derive one or more secret values.
- IC integrated circuit
- Secret values whose bit lengths can range in size from roughly 64 to 2048 bits, and more, are used in cryptographic processes to realize security services such as, e.g., but not limited to, proof of identity, authentication, or data encryption.
- Various signals conventionally emanate from the IC-based device as the device carries out cryptographic operations, whereby the signals may leak information about those secret values. In some instances, the signals can provide sufficient information to enable derivation of the core secret value(s), e.g. cryptographic keying material, used in the cryptographic process.
- DPA is a well-known, proven and powerful technique for an adversary to extract such device secrets from the device power consumption side channel.
- Instantaneous power consumption of a device, referred to as a side channel, leaks information about the values being processed by the device, primarily when such values are written to, or read from, the device's registers. These register reads and writes take place at regular processor clock cycles of the device. Thus, whenever the secret values are used in logic operations, and inputs or outputs of these logic operations are written to, or read from, the registers, information about the values being written or read is leaked by the device power consumption at that cycle.
- An apparatus, system, and method may minimize side channel leakage.
- An exemplary system or method discloses an efficient technique for realizing cryptographic combining operations that minimize side channel signal leakage.
- An exemplary system or method may simultaneously mix an entire key with, e.g., but not limited to, additional deterministic but changing data in a single clock cycle, to create a continually changing effective encryption key so as to avoid providing multiple looks at the effective key conventionally employed for encryption, a shortcoming of conventional solutions.
- A system or method may include a cryptographic combining operation, according to an exemplary embodiment, accomplished by use of a modern electronic processor with dedicated computational circuits in hardware such as, e.g., but not limited to, programmable logic devices (PLDs), which according to an exemplary embodiment may include, e.g., but not limited to, field programmable gate arrays (FPGAs), or application specific integrated circuits (ASICs), etc., which may be ideal for realizing any sort of combining function.
- PLDs programmable logic devices
- FPGAs field programmable gate arrays
- ASICs application specific integrated circuits
- An exemplary embodiment of the present invention may include an exemplary hardware based mitigation technique.
- An exemplary apparatus, system, or method may be provided that may perform an exemplary method for realizing cryptographic combining operations in a manner that may minimize side channel power information loss.
- An exemplary embodiment of the claimed method may minimize side channel leakage by performing all of the combining operations of the exemplary method on a large component of, or a substantial portion of, the input value, even all of the input value, according to an exemplary embodiment, and the combined result may be stored to a register, advantageously, within an exemplary single processor clock cycle, according to an exemplary embodiment.
- An apparatus, system and/or method may include, e.g., but not limited to, receiving, by at least one cryptographic combiner device, at least one large bit length input value; and transforming, by the at least one cryptographic combiner device, the at least one large bit length input value into at least one output value, wherein the transforming may include transforming, by the at least one cryptographic combiner device, the at least one large bit length input value into the at least one output value within a single clock cycle.
- The method may include where the at least one cryptographic combiner device may include at least a portion of: at least one programmable logic device (PLD).
- PLD programmable logic device
- The method may include where the at least one PLD may include at least one of: at least one field programmable gate array (FPGA); at least one application specific integrated circuit (ASIC); at least one programmable logic array (PLA); at least one programmable read only memory (PROM); at least one erasable programmable read only memory (EPROM); at least one electrically erasable programmable read only memory (EEPROM); at least one programmable array logic (PAL); at least one generic array logic (GAL); at least one programmable electrically erasable logic (PEEL); at least one semiconductor intellectual property core (IP core); or at least one complex programmable logic device (CPLD).
- FPGA field programmable gate array
- ASIC application specific integrated circuit
- PLA programmable logic array
- PROM programmable read only memory
- EPROM erasable programmable read only memory
- EEPROM electrically erasable programmable read only memory
- PAL programmable array logic
- GAL generic array logic
- PEEL programmable electrically erasable logic
- The method may include where the transforming is performed on an entirety of the large bit length input value.
- The method may include where the cryptographic combiner device may include: at least one bank of at least one look-up-table (LUT), each of the at least one LUT receiving as input a plurality of single bit input values, and providing as output at least one output bit, wherein when the cryptographic combiner device includes a plurality of banks of the at least one LUT, the at least one output bit from a first of the plurality of banks is wired to feed into the input of the at least one LUT of a second of the plurality of banks, and wherein a total number of banks of the at least one LUTs is any number so long as the large bit length input reaches an output of the last bank of the plurality of banks, to produce the at least one output value, within a single clock cycle.
- LUT look-up-table
- The method may include where the performing may include: performing the transforming on the plurality of banks of the at least one look-up-table (LUT), wherein the at least one LUT may include at least one of: a small LUT; a programmable LUT; or an n-bit input to x-bit output LUT.
- LUT look-up-table
- The method may include where the at least one LUT may include an n-bit input to x-bit output LUT, and wherein the n-bit input LUT may include an at least six (6)-bit input LUT, and the x-bit output LUT may include an at least one (1)-bit output LUT.
- The method may include where each of the m banks is adapted to operate in parallel and with sufficient efficiency that at least one of: computing the at least one output value, processing to obtain the at least one output value, or feeding through all the m banks to obtain the at least one output value, occurs within the single clock cycle.
- The method may include where the coupling may include programmably wiring the at least one output from the given bank j to feed to the at least one of the T(j+1)*n inputs of the next bank j+1.
- The method may include where the at least one LUT may include the n-bit input to x-bit output LUT, and wherein signals propagate through all the m plurality of banks within the single clock cycle.
- The method may include where the coupling may include at least one inter-bank coupling.
- The method may further include altering the at least one inter-bank coupling or at least one parameter of the at least one LUT to achieve a plurality of cryptographic functions.
- The method may further include at least one of: wherein the altering may include programmably altering the at least one inter-bank coupling or the at least one parameter of the at least one LUT; wherein the at least one inter-bank coupling may include at least one changeable coupling; wherein the altering may include dynamically altering the at least one inter-bank coupling or the at least one parameter of the at least one LUT; wherein the altering may include altering dynamically during use; or wherein the altering may include altering dynamically over time, during use.
- The method may include where the transforming may include combining at least one fixed secret value with at least one time varying input value, thereby transforming the at least one fixed secret value into at least one second time varying secret value.
- The method may include where the transforming may include: using the at least one second time varying secret value in at least one subsequent cryptographic processing wherein a secret value is required.
- The method may include where the cryptographic combiner device may include: the portion of the at least one PLD, wherein the receiving of the large bit length input value and the transforming of the large bit length input value into the output value on the PLD may include: performing a full transformation on an entire input within the single PLD clock cycle by using at least one programmable LUT in the fabric of the PLD.
- The method may include where the input value constitutes at least one fixed secret value and at least one time varying quantity, so as to obscure the at least one fixed secret value and minimize side channel information leakage about the at least one fixed secret.
- The method may include where the input value constitutes at least one secret and at least one time varying quantity, which when combined obscure the at least one secret and minimize side channel information leakage as could be used to detect the at least one secret.
- The method may include where the PLD may include at least one of: at least one application specific integrated circuit (ASIC); at least one programmable logic array (PLA); at least one programmable array logic (PAL); at least one programmable read only memory (PROM); at least one erasable programmable read only memory (EPROM); at least one electrically erasable programmable read only memory (EEPROM); at least one generic array logic (GAL); at least one programmable electrically erasable logic (PEEL); at least one semiconductor intellectual property core (IP core); at least one intellectual property core (IP core); at least one photonic processor; or at least one complex programmable logic device (CPLD).
- ASIC application specific integrated circuit
- PLA programmable logic array
- PAL programmable array logic
- PROM programmable read only memory
- EPROM erasable programmable read only memory
- EEPROM electrically erasable programmable read only memory
- GAL generic array logic
- PEEL programmable electrically erasable logic
- The method may include where the time varying secret value is used as a key for at least one of: an encryption function, or a keyed message authentication code (MAC) function.
- MAC keyed message authentication code
- The method may include where the time varying secret value may include the key to the advanced encryption standard (AES).
- AES advanced encryption standard
- The method may include where the time varying secret value is used as a pseudo-random bit stream for a cryptographic application.
- The method may include where the time varying secret value is used as the pseudo-random bit stream for the cryptographic application, to perform an XOR operation over an input data stream as a stream cipher.
- An exemplary system may include, e.g., but not limited to, a cryptographic device that may include: at least one cryptographic combiner adapted to receive at least one large bit length input value; wherein the at least one cryptographic combiner is adapted to transform the at least one large bit length input value into at least one output value, and wherein the at least one cryptographic combiner is adapted to transform the at least one large bit length input value into the at least one output value within a single clock cycle.
- The exemplary system may include where the cryptographic device further may include: at least one key cryptographic function having at least one input coupled to at least one output of the at least one cryptographic combiner.
- The exemplary system may include where the at least one key cryptographic function may include an advanced encryption standard (AES) key cryptographic function.
- AES advanced encryption standard
- The exemplary system may include where the at least one large bit length input value may include at least one output of at least one processor.
- The exemplary system may include where the at least one cryptographic combiner may include at least a portion of: at least one programmable logic device (PLD).
- PLD programmable logic device
- The exemplary system may include where the at least one PLD may include at least one of: at least one field programmable gate array (FPGA); at least one application specific integrated circuit (ASIC); at least one programmable logic array (PLA); at least one programmable read only memory (PROM); at least one erasable programmable read only memory (EPROM); at least one electrically erasable programmable read only memory (EEPROM); at least one programmable array logic (PAL); at least one generic array logic (GAL); at least one programmable electrically erasable logic (PEEL); at least one semiconductor intellectual property core (IP core); or at least one complex programmable logic device (CPLD).
- FPGA field programmable gate array
- ASIC application specific integrated circuit
- PLA programmable logic array
- PROM programmable read only memory
- EPROM erasable programmable read only memory
- EEPROM electrically erasable programmable read only memory
- PAL programmable array logic
- GAL generic array logic
- FIG. 1 depicts an exemplary view of an exemplary application of the present invention for the exemplary purpose of mitigating side-channel information leakage on an exemplary key cryptographic function using an exemplary cryptographic combiner, according to an exemplary embodiment.
- FIG. 2 depicts an exemplary embodiment of an exemplary cryptographic combiner operation or mix function, according to an exemplary embodiment.
- FIG. 3 depicts an exemplary embodiment of an exemplary cryptographic combiner or mix function, according to an exemplary embodiment.
- An improved hardware based mitigation technique may be provided that seeks to minimize, to a single clock cycle, the time window during which a massive number of secret data bits may be combined with other input data.
- The present invention adds to cryptographic combining by providing a very high speed method to realize thorough combining of large bit-length input quantities, according to an exemplary embodiment.
- Processing of the entire large bit-length input quantity via a cryptographic combining operation may occur within a single clock cycle, so as to minimize or eliminate the conventional exposure of secret information by conventional sub-portion processing.
- FIG. 1 depicts an exemplary diagram 100 of an exemplary embodiment of an exemplary cryptographic device 108, which may be coupled to a processor 102, and may receive from processor 102 an exemplary input one 104, an exemplary input two 110, and/or any additional inputs K 112, as well as exemplary data (D) 106, according to an exemplary embodiment.
- Input one 104 may be provided from processor 102 to a cryptographic combiner 114 of the cryptographic device 108.
- Data D 106 may be provided to a key cryptographic function 120, as illustrated.
- Exemplary cryptographic device 108 may include, in an exemplary embodiment, input two 110, and/or up to an input k 112 (where k is a finite integer number), which may be coupled to an exemplary cryptographic combiner function 114.
- Cryptographic combiner 114 may receive as inputs the values of input one 104, input two 110, and/or up to input k 112.
- Cryptographic combiner 114 may combine inputs 104, 110, and/or 112, etc., and may provide an intermediate value, or an output 116, to an exemplary key cryptographic function 120, according to an exemplary embodiment.
- Exemplary cryptographic combiner 114 may receive various inputs, such as, e.g., but not limited to, up to input k 112, input two 110, and/or input one 104, and may combine and/or mix all inputs in one clock cycle to provide output 116 of cryptographic combiner 114, which is provided in turn as input to an exemplary key cryptographic function 120, according to an exemplary embodiment.
- Key cryptographic function 120 may also receive as exemplary input, as illustrated in the exemplary embodiment, data D 106.
- The key cryptographic function 120 may then encrypt data 106 using an exemplary cryptographic function, such as, e.g., but not limited to, an exemplary advanced encryption standard (AES) encryption key function using, e.g., but not limited to, an exemplary multiple-bit key such as, e.g., but not limited to, an exemplary 256 bit key, etc., according to an exemplary embodiment.
- AES advanced encryption standard
- Exemplary key cryptographic function 120 may alternatively include any other well known cryptographic function, including, e.g., but not limited to, an exemplary data encryption standard (DES) function, and/or an exemplary Triple DES (3DES) function (which may include, e.g., but not limited to, an exemplary key bundle of three exemplary keys), and/or an exemplary Blowfish function (e.g., but not limited to, a keyed symmetric block cipher), and/or an exemplary keyed cryptographic hash function, and/or an exemplary keyed message authentication code (MAC) function and/or algorithm, and/or an exemplary but not limiting stream cipher, etc., according to an exemplary embodiment.
- Key cryptographic function 120 may encrypt using an exemplary AES-standard compliant encryption function 120 the received data D 106 and the encrypted data may be written as illustrated to an exemplary register and/or memory 122 , according to an exemplary embodiment.
- FIG. 2 depicts an exemplary diagram 200 of at least a portion of an exemplary cryptographic device 108 , which may include an exemplary cryptographic combiner 114 .
- The exemplary cryptographic combiner 114 may combine input one 104 with input two 110 and/or up to input k 112, to produce output 116 (not labeled) to feed into key cryptographic function 120.
- This cryptographic combiner device 114 may include, as illustrated, in an exemplary embodiment, an exemplary (n*T)-bit input device, wherein n may include, e.g., but may not be limited to, 2, 3, 4, 5, 6, 7, 8, or more, etc., including, e.g., but not limited to, a plurality of look up tables (LUTs) 202a-202l, wherein each LUT may have n inputs, and the device may have m banks of Ti LUTs each, with exemplary T1 LUTs in bank 1, exemplary T2 LUTs in bank 2, and exemplary up to Tm LUTs in bank m, where according to an exemplary embodiment, the sum T1+T2+ . . . +Tm LUTs may be designed or adapted to complete processing of exemplary program logic such as, e.g., but not limited to, combining any combination of inputs 104, 110, and/or up to k 112, and/or other additional program logic such as, e.g., but not limited to, key cryptographic function 120, and may perform the program logic, advantageously, in one clock cycle 206, as illustrated, according to one exemplary embodiment.
- LUTs look up tables
- One bank, BK1, may include LUT 1 202a, LUT 2 202b, LUT 3 202c, and/or any others up until LUT T1 202d, wherein each LUT 202a, 202b, 202c, and 202d has an exemplary one output O1, O2, O3, and OT1, respectively.
- Bank 2, BK2, may include LUT 1 202e, LUT 2 202f, LUT 3 202g, and/or any others up until LUT T2 202h, also having outputs O1-OT2, respectively.
- Bank m, BKm, may include LUTs LUT 1 202i, LUT 2 202j, LUT 3 202k, and/or any others up until LUT Tm 202l, wherein each LUT 202i-202l may have an exemplary output O1-OTm, respectively.
- Interbank wiring 204 may couple any of the LUTs 202a-202l (collectively 202) to one another to perform logical operations in the programmable logic device (PLD).
- PLD programmable logic device
- The output of cryptographic combiner 114 may then be provided as input to exemplary key cryptographic function 120 (which may include a register to which the combined value may be written, according to an exemplary embodiment), and/or may be written to a separate register and/or memory 122 as illustrated, according to an exemplary embodiment.
- Decryption may include use of one or more exclusive OR (XOR) functions to obtain the data 106 that originally was encrypted by the cryptographic device 108 .
- XOR exclusive OR
- The cryptographic combiner or mix function 114 and/or key cryptographic function 120 may be created using an exemplary programmable logic device (PLD) such as, e.g., but not limited to, a programmable array logic (PAL) device, a complex programmable logic device (CPLD), a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a photonic processor, and/or an intellectual property core (IP core), etc., in various exemplary embodiments.
- PLD programmable logic device
- PAL programmable array logic
- CPLD complex programmable logic device
- FPGA field programmable gate array
- ASIC application specific integrated circuit
- IP core intellectual property core
- PLDs Programmable Logic Devices
- PLDs may include, among other devices:
- IP core Intellectual Property Core
- IP cores may typically be used as a logic block within, or as part of, an ASIC and/or FPGA.
- FIG. 3 depicts diagram 300 illustrating an exemplary cryptographic combiner 114 of an exemplary cryptographic device 108 coupled to one and/or more inputs 104 , 110 , and/or up to 112 , and providing one or more outputs O1, O2, O3, . . . , OT 304 to key cryptographic function 120 and/or register/memory 122 , according to an exemplary embodiment.
- Any of the LUTs 302a, 302b, 302c, 302d, 302e, 302f, 302g, 302h, 302i, 302j, 302k and 302l may include exemplary 6 input by 1 output LUTs 302, with up to an exemplary 100s to 10,000s of LUTs 302 per bank and an exemplary three (3) banks of LUTs 302, illustrated with an exemplary, but not limited to, same number T of LUTs 302 per bank, as compared to the exemplary possible variable number of LUTs 202 per bank, as illustrated in FIG.
- Key cryptographic function 120 may also be implemented using the same programmable logic device as used to implement the cryptographic combiner 114.
- The cryptographic combiner and/or key cryptographic function 120 may perform its or their logical processing within an exemplary single clock cycle, according to an exemplary embodiment.
- An exemplary digital system may comprise an exemplary processor device which may execute one or more applications that may reside in off-processor non-volatile memory or storage or that may use off-processor volatile memory for storing application code and/or data.
- Application code and/or data may have high intrinsic value and may require encryption before storage in the exemplary off-device volatile and/or non-volatile memory to prevent piracy, Intellectual Property (IP) theft and/or reverse engineering, according to an exemplary embodiment.
- IP Intellectual Property
- Such encryption can be realized by an exemplary, but nonlimiting encryption algorithm, which may be implemented within, e.g., but not limited to, device fabric, etc.
- The exemplary cryptographic combiner 114 may provide an additional line of defense and may enable one to address such side-channel or other cryptanalytic threats.
- An exemplary fixed secret value such as an exemplary input 104 may be continuously modified, according to an exemplary embodiment, by combining it with other exemplary input parameters such as other inputs 110, 112, producing an exemplary varying encryption key output 116 of the cryptographic combiner 114, according to an exemplary embodiment of the present invention.
- An exemplary embodiment may present a fluid, changing, target to an attacker and may significantly increase the difficulty of applying existing, conventional cryptanalytic techniques to detect the exemplary secret value.
- Mixing and/or combining the exemplary entire fixed secret with exemplary time varying quantities within a single clock cycle prevents the attacker from gaining useful information about pieces of the fixed secret, a necessary requirement of side-channel attacks.
- Because the exemplary data encryption key output 116 of the cryptographic combiner 114 is continuously time varying, any side-channel attacks applied to the key cryptographic function encryption algorithm 120 to attempt to recover the encryption key 116 are stymied.
- The exemplary cryptographic combiner 114 is extremely flexible.
- Exemplary look-up-tables (LUTs) 202 are each individually programmable.
- The inter-LUT wiring 204 may also be individually programmable at the designer's discretion. These two parameters, the LUTs 202 and the inter-LUT wiring 204, enable many and varied functions to be realized, transforming the various exemplary inputs 104, 110, and/or 112, etc. into an exemplary output 116 of the exemplary cryptographic combiner 114, according to an exemplary embodiment.
- Certain exemplary embodiments of the cryptographic device 108 may be hard to cryptographically reverse, that is, e.g., but not limited to, if one were to see the exemplary output 116 of the cryptographic combiner function 114 and only certain of the inputs, such as, e.g., but not limited to, 112 and 110 , then one could not easily determine the remaining input 104 , for example, according to an exemplary embodiment of the invention. Additionally, in certain exemplary embodiments, one could not predict the output 116 of exemplary cryptographic combiner 114 , without knowing all of the input values 104 , 110 , and up to 112 .
- An application requiring an exemplary stream cipher may require an exemplary secret pseudo-random bit stream to encrypt an exemplary incoming data stream via, e.g., but not limited to, an exemplary bit-wise exclusive-or (XOR) operation, i.e., addition modulo 2.
- This exemplary secret pseudo-random bit stream may be generated, according to an exemplary embodiment, by transforming an exemplary secret key repeatedly in some exemplary time-varying way that is hard to reverse and whose time-varying output is hard to predict.
- Input 104 may be the exemplary secret key, shared only between the sender and recipient of the exemplary encrypted data D 106.
- Input 110 could be an exemplary counter or other publicly known time varying value, according to an exemplary embodiment.
- Output 116 may be the exemplary secret pseudo-random bit stream XORed over the data D 106, in an exemplary embodiment.
- references to “one embodiment,” “an embodiment,” “example embodiment,” “various embodiments,” etc. may indicate that the embodiment(s) of the invention so described may include a particular feature, structure, or characteristic, but not every embodiment necessarily includes the particular feature, structure, or characteristic. Further, repeated use of the phrase “in one embodiment,” or “in an exemplary embodiment,” do not necessarily refer to the same embodiment, although they may.
- "Coupled" may mean that two or more elements are in direct physical or electrical contact. However, "coupled" may also mean that two or more elements are not in direct contact with each other, and/or are indirectly connected to one another, but yet still co-operate or interact with each other.
- An algorithm is here, and generally, considered to be a self-consistent sequence of acts or operations leading to a desired result. These include physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers or the like. It should be understood, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities.
- A "processor" may refer to any device or portion of a device, or logic device, that processes electronic data, and/or data from registers and/or memory, to transform that electronic data into other electronic data that may be stored in registers and/or memory.
- A "platform" may comprise one or more processors.
- Embodiments of the present invention may include apparatuses or systems for performing the logical operations herein.
- An apparatus may be specially constructed for the desired purposes, or it may comprise a general purpose device selectively activated or reconfigured by a program stored in the device.
- The invention may be implemented primarily in hardware using, for example, but not limited to, hardware components such as application specific integrated circuits (ASICs), or one or more state machines, etc.
- The invention may be implemented primarily in firmware.
Abstract
Description
- 1. Field of the Invention
- The present invention relates generally to cryptographic systems. More particularly, it relates to systems and methods for realizing efficient combining of binary data at high speed to support various cryptographic processes. In particular this invention can be used for, e.g., but is not limited to, mitigating side channel information leakage that enables recovery of secret data via means such as differential power analysis (DPA).
- 2. Related Art
- To carry out cryptographic computations, whether for encrypting data for confidentiality, signing data for proof of origin, or hashing data for authenticity, one may use methods for realizing deterministic combining functions that take two or more input values, each of various bit lengths, and produce an output value of some determinate bit length. For security these functions are often very complex. Conventional methods for realizing very complex combining functions, as required for cryptographic computations, build up complexity by splitting input quantities into small packets such as, e.g., but not limited to, 8-bit bytes, 16-bit di-bytes, etc., and then combining these packets, either in parallel across the processor real estate or serially in time, via AND/OR/NOR gates, registering intermediate results to await further processing.
- There is a constant tension between first, complexity of the combining function necessary for good security, and second, realizing such complex functions quickly and efficiently as necessary to achieve the functional requirements of an application. Much effort has gone into achieving good cryptographic combining efficiently, but it would be good for additional progress to be made in this regard.
- Secret values processed in conventional cryptographic methods are vulnerable to recovery by an adversary who exploits information leaked via side channels, such as the instantaneous power consumption of a device as the secret value is being processed. One example of a side channel attack is differential power analysis (DPA). DPA measures the power consumption of a cryptographic system's processor over many operations and applies statistical analysis to the recorded power signals to recover the values being processed. Conventional cryptographic methods process secret key data and input information data generally in, e.g., but not limited to, 8-bit bytes (sometimes 16-bit di-bytes, and seldom beyond 32-bit quad-bytes) within a given algorithmic step. By this we mean, for instance, that if the secret key data is 128 bits (16 bytes) and the input information data is 128 bits, then within a single algorithmic step the two 16-byte quantities may be combined by combining byte 1 of the key and byte 1 of the information, byte 2 of the key and byte 2 of the information, etc. Cryptographic processing methods implement such algorithms by combining these byte pairs across one or more clock cycles of the processor and storing intermediate values in processor registers awaiting another round of combination. The power consumption during these writes to registers is a prime source of information leakage. Conventional solutions have attempted to mask such power usage through various mitigation algorithms; some conventional solutions remain vulnerable to such attacks.
- Conventional security applications generally employ an integrated circuit (IC) on which a secret value may be embedded, or which may employ a random number generator to derive one or more secret values. These secret values, whose bit lengths can range from roughly 64 to 2048 bits and more, are used in cryptographic processes to realize security services such as, e.g., but not limited to, proof of identity, authentication, or data encryption. In many applications it is vital that these secret values never be exposed off of the device. Various signals conventionally emanate from the IC-based device as it carries out cryptographic operations, and these signals may leak information about those secret values. In some instances the signals provide sufficient information to enable derivation of the core secret value(s), e.g., cryptographic keying material, used in the cryptographic process. Such so-called "side channel" signals can thus sometimes be employed to extract the core secrets from the device, compromising the security service it affords. DPA is a well-known, proven and powerful technique by which an adversary extracts such device secrets from the power consumption side channel.
- The instantaneous power consumption of a device, one such side channel, leaks information about the values being processed primarily when those values are written to, or read from, the device's registers. These register reads and writes take place on the regular processor clock cycles of the device. Thus, whenever secret values are used in logic operations and the inputs or outputs of those operations are written to, or read from, registers, information about the values written or read is leaked by the device's power consumption in that cycle.
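As an added illustration of the byte-granular leakage described above (example code written for this page, not part of the patent), the following simulates DPA-style recovery of one key byte. Everything in it is constructed: the device is assumed to compute SBOX[key_byte XOR data_byte] in one byte-sized step and write it to a register, each register write is assumed to leak the Hamming weight of the written value plus Gaussian noise, and SBOX is a fixed random permutation standing in for a non-linear byte substitution (not the AES S-box). The attack hypothesises each of the 256 candidate key bytes, predicts the leakage for every recorded data byte, and keeps the candidate whose predictions correlate best with the measurements; because each byte of the key is processed separately, each byte can be attacked separately.

```python
"""Toy DPA/CPA against byte-granular key mixing (added example; constructed data)."""
import random

# Stand-in for a non-linear byte substitution: a fixed random permutation of
# 0..255.  This is an assumption of the example, not AES's S-box.
SBOX = list(range(256))
random.Random(7).shuffle(SBOX)

NOISE_STD = 2.0  # measurement noise, in Hamming-weight units


def hamming_weight(value):
    return bin(value).count("1")


def simulated_device(key_byte, data_byte, rng):
    """One byte-sized step of a conventional implementation: the device computes
    SBOX[key ^ data] and writes it to a register.  The register write is assumed
    to leak the Hamming weight of the value written, plus Gaussian noise."""
    written = SBOX[key_byte ^ data_byte]
    return hamming_weight(written) + rng.gauss(0.0, NOISE_STD)


def collect_traces(key_byte, n_traces, rng):
    """Attacker-side view: the public data bytes and the measured leakage."""
    data = [rng.randrange(256) for _ in range(n_traces)]
    traces = [simulated_device(key_byte, d, rng) for d in data]
    return data, traces


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def recover_key_byte(data, traces):
    """Correlation power analysis: for each of the 256 key hypotheses, predict
    the Hamming weight the device would leak for every data byte and correlate
    the prediction with the measurements.  The correct hypothesis stands out;
    wrong ones decorrelate because the substitution is non-linear.
    Returns (best_key, per-hypothesis scores)."""
    scores = []
    for k in range(256):
        predicted = [hamming_weight(SBOX[k ^ d]) for d in data]
        scores.append(pearson(predicted, traces))
    best = max(range(256), key=scores.__getitem__)
    return best, scores


def confidence_margin(scores):
    """Gap between the best and second-best correlation: the check that the
    winner is a real peak rather than noise."""
    ordered = sorted(scores, reverse=True)
    return ordered[0] - ordered[1]


def run_demo(seed=2013, secret=0xA7, n_traces=300):
    """Fixed-seed run on constructed traces; returns (recovered byte, margin)."""
    rng = random.Random(seed)
    data, traces = collect_traces(secret, n_traces, rng)
    guess, scores = recover_key_byte(data, traces)
    return guess, confidence_margin(scores)


if __name__ == "__main__":
    guess, margin = run_demo()
    print(f"recovered key byte 0x{guess:02x} with correlation margin {margin:.2f}")
```

With 300 traces and noise twice the signal's standard deviation the true hypothesis still correlates at roughly 0.5 while the wrong ones sit near zero; a 128-bit key falls to sixteen such independent searches of 256 candidates each. That independence is exactly what the byte-at-a-time register writes of the related art provide and what the single-cycle whole-key combining described below is intended to remove.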
- An improved system and method for avoiding side channel attacks that overcomes shortcomings of conventional mitigation techniques is highly desirable.
- Various exemplary embodiments of a system, and method for providing high speed combining of large bit-length inputs are set forth in detail herein.
- According to an exemplary embodiment, an apparatus, system, and method, may minimize side channel leakage. An exemplary system or method discloses an efficient technique for realizing cryptographic combining operations that minimize side channel signal leakage. According to an exemplary embodiment, an exemplary system or method may simultaneously mix an entire key with, e.g., but not limited to, additional deterministic but changing data in a single clock cycle, to create a continually changing effective encryption key so as to avoid providing multiple looks at the effective key conventionally employed for encryption, a shortcoming of conventional solutions.
- According to an exemplary embodiment, a system or method may include a cryptographic combining operation, according to an exemplary embodiment, accomplished by use of a modern electronic processor with dedicated computational circuits in hardware such as, e.g., but not limited to, programmable logic devices (PLDs), which according to an exemplary embodiment may include, e.g., but not limited to, field programmable gate arrays (FPGAs), or application specific integrated circuits (ASICs), etc., which may be ideal for realizing any sort of combining function.
- An exemplary embodiment of the present invention, may include an exemplary hardware based mitigation technique. According to one exemplary embodiment, an exemplary apparatus, system, or method may be provided that may perform an exemplary method for realizing cryptographic combining operations in a manner that may minimize side channel power information loss. An exemplary embodiment of the claimed method may minimize side channel leakage by performing all of the combining operations of the exemplary method on a large component of, or a substantial portion of, the input value, even all of the input value, according to an exemplary embodiment, and the combined result may be stored to a register, advantageously, within an exemplary single processor clock cycle, according to an exemplary embodiment.
- According to an exemplary embodiment of the claimed invention, an apparatus, system and/or method may include, e.g., but not limited to, receiving, by at least one cryptographic combiner device, at least one large bit length input value; and transforming, by the at least one cryptographic combiner device, the at least one large bit length input value into at least one output value, wherein the transforming may include transforming, by the at least one cryptographic combiner device, the at least one large bit length input value into the at least one output value within a single clock cycle.
- According to an exemplary embodiment, the method may include where the at least one cryptographic combiner device may include at least a portion of: at least one programmable logic device (PLD).
- According to an exemplary embodiment, the method may include where the at least one PLD may include at least one of: at least one field programmable gate array (FPGA); at least one application specific integrated circuit (ASIC); at least one programmable logic array (PLA); at least one programmable read only memory (PROM); at least one erasable programmable read only memory (EPROM); at least one electrically erasable programmable read only memory (EEPROM); at least one programmable array logic (PAL); at least one generic array logic (GAL); at least one programmable electrically erasable logic (PEEL); at least one semiconductor intellectual property core (IP core); or at least one complex programmable logic device (CPLD).
- According to an exemplary embodiment, the method may include where the transforming is performed on an entirety of the large bit length input value.
- According to an exemplary embodiment, the method may include where the cryptographic combiner device may include: at least one bank of at least one look-up-table (LUT), each the at least one LUT receiving as input a plurality of single bit input values, and providing as output at least one output bit, wherein when the cryptographic combiner device may include a plurality of banks of the at least one LUT, the at least one output bit from a first of the plurality of banks is wired to feed into the input of the at least one LUT of a second of the plurality of banks, and wherein a total number of banks of the at least one LUTs is any number so long as the large bit length input reaches an output of the last bank of the plurality of banks, to produce the at least one output value, within a single clock cycle.
- According to an exemplary embodiment, the method may include where the performing may include: performing the transforming on the plurality of banks of the at least one look-up-table (LUT), wherein the at least one LUT may include at least one of: a small LUT; a programmable LUT; or an n-bit input to x-bit output LUT.
- According to an exemplary embodiment, the method may include where the at least one LUT may include an n-bit input to x-bit output LUT, and wherein the n-bit input LUT may include an at least six (6)-bit input LUT, and the x-bit output LUT may include an at least one (1)-bit output LUT.
- According to an exemplary embodiment, the method may include where the at least one LUT may include an n-bit input to x-bit output LUT, wherein the plurality of banks may include a plurality of m banks, where m is greater than 1, and wherein each bank j of the m banks, for j=1, 2, . . . , m, may include a plurality of Tj LUTs of the at least one LUT, so that bank j accepts Tj*n input bits and produces Tj*x output bits.
- According to an exemplary embodiment, the method may include where the LUTs of each of the m banks operate in parallel, with sufficient efficiency that at least one of computing the at least one output value, processing to obtain the at least one output value, or feeding the input through all the m banks to obtain the at least one output value completes within the single clock cycle.
- According to an exemplary embodiment, the method may include where the at least one LUT may include the n-bit input to x-bit output LUT, wherein 1<=j<m, and wherein at least one output from a given bank j, is coupled to at least one of T(j+1)*n inputs to next bank j+1.
- According to an exemplary embodiment, the method may include where the coupling may include programmably wiring the at least one output from the given bank j to feed to the at least one of the T(j+1)*n inputs of the next bank j+1.
- According to an exemplary embodiment, the method may include where the at least one LUT may include the n-bit input to x-bit output LUT, and wherein signals propagate through all the m plurality banks within the single clock cycle.
- According to an exemplary embodiment, the method may include where the coupling may include at least one inter-bank coupling.
- According to an exemplary embodiment, the method may further include altering the at least one interbank coupling or at least one parameter of the at least one LUT to achieve a plurality of cryptographic functions.
- According to an exemplary embodiment, the method may further include at least one of: wherein the altering may include programmably altering the at least one interbank coupling or the at least one parameter of the at least one LUT; wherein the at least one interbank coupling may include at least one changeable coupling; wherein the altering may include dynamically altering the at least one interbank coupling or the at least one parameter of the at least one LUT; wherein the altering may include altering dynamically during use; or wherein the altering may include altering dynamically over time, during use.
- According to an exemplary embodiment, the method may include where transforming may include: combining at least one fixed secret value with at least one time varying input value may include transforming the at least one fixed secret value into at least one second time varying secret value.
- According to an exemplary embodiment, the method may include where the transforming may include: using the at least one second time varying secret value in at least one subsequent cryptographic processing wherein a secret value is required.
- According to an exemplary embodiment, the method may include where the cryptographic combiner device may include: the portion of the at least one PLD, wherein the receiving the large bit length input value and the transforming the large bit length input value into the output value on the PLD may include: performing a full transformation on an entire input within the single PLD clock cycle by using at least one programmable LUT in fabric of the PLD.
- According to an exemplary embodiment, the method may include where the input value constitutes at least one fixed secret value and at least one time varying quantity so as to obscure the at least one fixed secret value and minimizing side channel information leakage about the at least one fixed secret.
- According to an exemplary embodiment, the method may include where the input value constitutes at least one secret and at least one time varying quantity, wherein when combined obscures the at least one secret, and minimizes side channel information leakage as could be used to detect the at least one secret.
- According to an exemplary embodiment, the method may include where the PLD may include at least one of: at least one application specific integrated circuit (ASIC); at least one programmable logic array (PLA); at least one programmable array logic (PAL); at least one programmable read only memory (PROM); at least one erasable programmable read only memory (EPROM); at least one electrically erasable programmable read only memory (EEPROM); at least one generic array logic (GAL); at least one programmable electrically erasable logic (PEEL); at least one semiconductor intellectual property core (IP core); at least one intellectual property core (IP core); at least one photonic processor; or at least one complex programmable logic device (CPLD).
- According to an exemplary embodiment, the method may include where the time varying secret value is used as a key for at least one of: an encryption function, or a keyed message authentication code (MAC) function.
- According to an exemplary embodiment, the method may include where the time varying secret value may include the key to the advanced encryption standard (AES).
- According to an exemplary embodiment, the method may include where the time varying secret value is used as a pseudo-random bit stream for a cryptographic application.
- According to an exemplary embodiment, the method may include where the time varying secret value is used as the pseudo-random bit stream for the cryptographic application, to perform an XOR operation over an input data stream as a stream cipher.
- According to another exemplary embodiment, an exemplary system may include, e.g., but not limited to, a cryptographic device may include: at least one cryptographic combiner adapted to receive at least one large bit length input value; and wherein the at least one cryptographic combiner is adapted to transform the at least one large bit length input value into at least one output value, and wherein the at least one cryptographic combiner is adapted to transform the at least one large bit length input value into the at least one output value within a single clock cycle.
- According to an exemplary embodiment, the exemplary system may include where the cryptographic device further may include: at least one key cryptographic function may include at least one input coupled to at least one output of the at least one cryptographic combiner.
- According to an exemplary embodiment, the exemplary system may include where the at least one key cryptographic function may include an advanced encryption standard (AES) key cryptographic function.
- According to an exemplary embodiment, the exemplary system may include where the at least one large bit length input value may include at least one output of at least one processor.
- According to an exemplary embodiment, the exemplary system may include where the at least one cryptographic combiner may include at least a portion of: at least one programmable logic device (PLD).
- According to an exemplary embodiment, the exemplary system may include where the at least one PLD may include at least one of: at least one field programmable gate array (FPGA); at least one application specific integrated circuit (ASIC); at least one programmable logic array (PLA); at least one programmable read only memory (PROM); at least one erasable programmable read only memory (EPROM); at least one electrically erasable programmable read only memory (EEPROM); at least one programmable array logic (PAL); at least one generic array logic (GAL); at least one programmable electrically erasable logic (PEEL); at least one semiconductor intellectual property core (IP core); or at least one complex programmable logic device (CPLD).
- The foregoing and other features and advantages of the invention will be apparent from the following, more particular description of an embodiment of the invention, as illustrated in the accompanying drawings wherein like reference numbers generally indicate identical, functionally similar, and/or structurally similar elements. The left most digits in the corresponding reference number indicate the drawing in which an element first appears.
- FIG. 1 depicts an exemplary view of an exemplary application of the present invention for the exemplary purpose of mitigating side-channel information leakage on an exemplary key cryptographic function using an exemplary cryptographic combiner, according to an exemplary embodiment;
- FIG. 2 depicts an exemplary embodiment of an exemplary cryptographic combiner operation or mix function, according to an exemplary embodiment; and
- FIG. 3 depicts an exemplary embodiment of an exemplary cryptographic combiner or mix function, according to an exemplary embodiment.
- Various exemplary embodiments of the invention are discussed in detail below. While specific exemplary embodiments are discussed, it should be understood that this is done for illustration purposes only. Exemplary means example for purposes of this application, and various embodiments need not include all features as described herein. A person skilled in the relevant art will recognize that other components and configurations can be used without parting from the spirit and scope of the invention.
- According to an exemplary embodiment, an improved hardware based mitigation technique may be provided that seeks to shrink, to a single clock cycle, the time window during which a large number of secret data bits are combined with other input data.
- According to an exemplary embodiment of the invention, it is recognized by the applicant that conventional use of granularity of operations (e.g., 8, 16, or 32-bits, etc.) across one or more processor clock cycles and storage of intermediate values in registers may result in information leakage via power consumption as these operations take place.
- Because conventional register reads and writes involve small components of the secret value, such as, e.g., bits, bytes or words of the secret value, the resulting power leakage may be combined with statistical and cryptographic analysis, and often the entire secret value may be recovered. For side channel attacks to succeed in capturing a secret value, it is critical that the device repeatedly conduct operations on individual components of the sought-after secret in separate and distinct processes and write the results of such processing to intermediate holding registers; this is what enables the attacker to isolate components of the secret and gather sufficient data for statistical analysis.
- Much effort has gone into designing conventional attempts to minimize side channel information leakage. Given the effectiveness of DPA, most conventional work addresses information leaked by the instantaneous power consumption. These conventional mitigation efforts have generally taken one of two different approaches, classified roughly as hardware or software.
- The present invention adds to cryptographic combining by providing a very high speed method to realize thorough combining of large bit-length input quantities, according to an exemplary embodiment. In an exemplary embodiment, processing of the entire large bit-length input quantity via a cryptographic combining operation may occur within a single clock cycle, so as to minimize or eliminate conventional exposure of secret information by conventional sub-portion processing.
- FIG. 1 depicts an exemplary diagram 100 of an exemplary embodiment of an exemplary cryptographic device 108, which may be coupled to a processor 102, and may receive from processor 102 an exemplary input one 104, an exemplary input two 110, and/or any additional inputs K 112, as well as exemplary data (D) 106, according to an exemplary embodiment.
- As illustrated, according to an exemplary embodiment, input one 104 may be provided from processor 102 to a cryptographic combiner 114 of the cryptographic device 108.
- According to an exemplary embodiment, data D 106 may be provided to a key cryptographic function 120, as illustrated.
- According to an exemplary embodiment, exemplary cryptographic device 108 may include, in an exemplary embodiment, input two 110 and/or up to an input k 112 (where k is a finite integer number), which may be coupled to an exemplary cryptographic combiner function 114. According to one exemplary embodiment, cryptographic combiner 114 may receive as inputs the values of input one 104, input two 110, and/or up to input k 112. According to an exemplary embodiment, cryptographic combiner 114 may combine inputs 104, 110, and/or 112 and provide output 116 to an exemplary key cryptographic function 120, according to an exemplary embodiment.
- Exemplary cryptographic combiner 114, according to an exemplary embodiment, may receive various inputs, such as, e.g., but not limited to, up to input k 112, input two 110, and/or input one 104, and may combine and/or mix all inputs in one clock cycle to provide output 116 of cryptographic combiner 114, which in turn is provided as input to an exemplary key cryptographic function 120, according to an exemplary embodiment. Key cryptographic function 120 may also receive as exemplary input, as illustrated in the exemplary embodiment, data D 106. The key cryptographic function 120 may then encrypt data 106 using an exemplary cryptographic function, such as, e.g., but not limited to, an exemplary advanced encryption standard (AES) encryption function using, e.g., but not limited to, an exemplary multiple-bit key such as, e.g., but not limited to, an exemplary 256 bit key, etc., according to an exemplary embodiment. Exemplary key cryptographic function 120 may alternatively include any other well known cryptographic function, including, e.g., but not limited to, an exemplary data encryption standard (DES) function, and/or an exemplary Triple DES (3DES) function (which may include, e.g., but not limited to, an exemplary key bundle of three exemplary keys), and/or an exemplary Blowfish function (e.g., but not limited to, a keyed symmetric block cipher), and/or an exemplary keyed cryptographic hash function, and/or an exemplary keyed message authentication code (MAC) function and/or algorithm, and/or an exemplary but not limiting stream cipher, etc., according to an exemplary embodiment. Key cryptographic function 120 may encrypt the received data D 106 using an exemplary AES-standard compliant encryption function, and the encrypted data may be written, as illustrated, to an exemplary register and/or memory 122, according to an exemplary embodiment.
- FIG. 2 depicts an exemplary diagram 200 of at least a portion of an exemplary cryptographic device 108, which may include an exemplary cryptographic combiner 114. According to an exemplary embodiment, the exemplary cryptographic combiner 114 may combine input one 104 with input two 110 and/or up to input k 112 to produce output 116 (not labeled) to feed into key cryptographic function 120. This cryptographic combiner device 114 may include, as illustrated, in an exemplary embodiment, an exemplary (n*T)-bit input device, wherein n may include, e.g., but may not be limited to, 2, 3, 4, 5, 6, 7, 8, or more, etc., including, e.g., but not limited to, a plurality of look up tables (LUTs) 202 a-202 l, wherein each LUT may have n inputs, and the device may have m banks of Ti LUTs each, with exemplary T1 LUTs in bank 1, exemplary T2 LUTs in bank 2, and exemplary up to Tm LUTs in bank m, where, according to an exemplary embodiment, the sum T1+T2+ . . . +Tm LUTs may be designed or adapted to complete processing of exemplary program logic such as, e.g., but not limited to, combining any combination of inputs k 112, and/or other additional program logic such as, e.g., but not limited to, key cryptographic function 120, and may perform the program logic, advantageously, in one clock cycle 206, as illustrated, according to one exemplary embodiment. For example, one bank BK 1 may include LUT 1 202 a, LUT 2 202 b, LUT 3 202 c, and/or any others up until LUT T1 202 d, wherein each LUT 202 a-202 d may have an output O1-OT1, respectively. Similarly, bank 2 BK2 may include LUT 1 202 e, LUT 2 202 f, LUT 3 202 g, and/or any others up until LUT T2 202 h, also having outputs O1-OT2, respectively. Finally, also similarly, bank m BK m may include LUTs LUT 1 202 i, LUT 2 202 j, LUT 3 202 k, and/or any others up until LUT Tm 202 l, wherein each LUT 202 i-202 l may have an exemplary output O1-OTm, respectively. In an exemplary embodiment, the total number of LUTs 202 a-202 l in exemplary bank j may be represented by a number Tj, for j=1, 2, . . . , m. Thus, in one exemplary embodiment, there may be a different number of LUTs per bank, and in another exemplary embodiment, there may be a fixed number of LUTs per bank, according to various exemplary but nonlimiting embodiments. As shown, various interbank wiring, as illustrated by interbank wiring 204, may couple any of the LUTs 202 a-202 l (collectively 202) to one another to perform logical operations in the programmable logic device (PLD). The output of cryptographic combiner 114 may then be provided as input to exemplary key cryptographic function 120 (which may include a register to which the combined value may be written, according to an exemplary embodiment), and/or may be written to a separate register and/or memory 122 as illustrated, according to an exemplary embodiment.
- To decrypt given encrypted data from, e.g., register/memory 122, one may use the key cryptographic function 120, input one 104, input two 110, and/or other inputs up to input K 112: combine the inputs to obtain value 116, and use value 116 in the key cryptographic function 120, operating in decrypt mode, to obtain data 106 from the given encrypted data 122. The decrypting party must therefore supply the same values of inputs 110 through 112 (e.g., the same counter value) as were used during encryption, since output 116 cannot be predicted without all of its inputs. Decryption may include use of one or more exclusive OR (XOR) functions to obtain the data 106 that originally was encrypted by the cryptographic device 108.
- According to one exemplary embodiment, the cryptographic combiner or
mix function 114 and/orkey cryptographic function 120, may be created using an exemplary programmable logic device (PLD) such as, e.g., but not limited to, a programmable array logic (PAL) device, a complex programmable logic device (CPLD), a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a photonic processor, and/or an intellectual property core (IP core), etc., in various exemplary embodiments. - Programmable Logic Devices (PLDs) may include, among other devices:
- 1. Programmable Array Logic (PAL), these not used as much anymore;
2. Complex Programmable Logic Device (CPLD), functionally between a PAL and an FPGA;
3. Field programmable gate array (FPGA), a next step up from CPLD;
4. Application Specific Integrated Circuits (ASIC), lower cost/per part compared to FPGA when large volume needed (>10K units), also lower power than FPGA;
5. Photonics Processors, state-of-the-art optical switching devices; and/or
6. Intellectual Property Core (IP core), typically IP cores may be used as a logic block within, or as part of an ASIC and/or FPGA. - By varying the values of parameters of the LUT(s) and/or the inter-bank connection(s), one can realize numerous different exemplary embodiments of combining functions and/or devices. According to an exemplary embodiment the ability to alter values and/or parameters of the LUTs and/or the inter-bank wiring, offer tremendous flexibility in realizable combiners but depending on need, say for example cryptographic irreversibility, some choices may be better than others.
FIG. 3 depicts diagram 300 illustrating an exemplary cryptographic combiner 114 of an exemplary cryptographic device 108 coupled to one and/or more inputs OT 304 to key cryptographic function 120 and/or register/memory 122, according to an exemplary embodiment. According to an exemplary embodiment, any of the LUTs may be as described with reference to FIG. 2. According to an exemplary embodiment, key cryptographic function 120 may also be implemented using the same programmable logic device as used to implement the cryptographic combiner 114. According to an exemplary embodiment, the cryptographic combiner and/or key cryptographic function 120 may perform its or their logical processing within an exemplary single clock cycle.

An exemplary digital system may comprise an exemplary processor device which may execute one or more applications that may reside in off-processor non-volatile memory or storage or that may use off-processor volatile memory for storing application code and/or data. Such application code and/or data may have high intrinsic value and may require encryption before storage in the exemplary off-device volatile and/or non-volatile memory to prevent piracy, Intellectual Property (IP) theft and/or reverse engineering, according to an exemplary embodiment. Such encryption can be realized by an exemplary, but nonlimiting, encryption algorithm, which may be implemented within, e.g., but not limited to, device fabric, etc. If the encrypted data has sufficiently high value, then the use of a fixed key for the encryption algorithm provides inadequate protection, as the fixed key is subject to discovery via side-channel and/or other cryptanalytic methods. The exemplary cryptographic combiner 114, according to an exemplary embodiment of the present invention, may provide an additional line of defense and may enable one to address such side-channel or other cryptanalytic threats. An exemplary fixed secret value, such as an exemplary input 104, may be continuously modified, according to an exemplary embodiment, by combining it with other exemplary input parameters such as other inputs 110 and/or 112 to produce the key output 116 of the cryptographic combiner 114, according to an exemplary embodiment of the present invention. An exemplary embodiment may present a fluid, changing target to an attacker and may significantly increase the difficulty of applying existing, conventional cryptanalytic techniques to detect the exemplary secret value. According to the exemplary embodiment illustrated in FIG. 2, mixing and/or combining the exemplary entire fixed secret with exemplary time varying quantities within a single clock cycle prevents the attacker from gaining useful information about pieces of the fixed secret, a necessary requirement of side-channel attacks. Since the exemplary data encryption key output 116 of the cryptographic combiner 114, according to an exemplary embodiment, is continuously time varying, any side-channel attacks applied to the key cryptographic function encryption algorithm 120 to attempt to recover the encryption key 116 are stymied.

The exemplary cryptographic combiner 114, according to an exemplary embodiment of the present invention, is extremely flexible. Exemplary look-up-tables (LUTs) 202, according to an exemplary embodiment, are each individually programmable. Also, the inter-LUT wiring 204 may be individually programmable at the designer's discretion. These two parameters, the LUTs 202 and inter-LUT wiring 204, enable many and varied functions to be realized, transforming the various exemplary inputs 104, 110 and up to 112 into the exemplary output 116 of the exemplary cryptographic combiner 114, according to an exemplary embodiment. Certain exemplary embodiments of the cryptographic device 108 may be hard to cryptographically reverse, that is, e.g., but not limited to, if one were to see the exemplary output 116 of the cryptographic combiner function 114 and only certain of the inputs, such as, e.g., but not limited to, 112 and 110, then one could not easily determine the remaining input 104, for example, according to an exemplary embodiment of the invention. Additionally, in certain exemplary embodiments, one could not predict the output 116 of exemplary cryptographic combiner 114 without knowing all of the input values 104, 110, and up to 112. In an exemplary communication system, according to an exemplary embodiment, requiring an exemplary stream cipher, one may require an exemplary secret pseudo-random bit stream to encrypt an exemplary incoming data stream via, e.g., but not limited to, an exemplary bit-wise exclusive-or (XOR) logic addition operation. This exemplary secret pseudo-random bit stream may be generated, according to an exemplary embodiment, by transforming an exemplary secret key repeatedly in some exemplary time-varying way that may be hard to reverse and such that the time-varying output is hard to predict.

In an exemplary cryptographic combiner 114, according to an exemplary embodiment of the present invention, input 104 may be the exemplary secret key shared only between the sender and recipient of the exemplary encrypted data D 106. Input 110, according to an exemplary embodiment, could be an exemplary counter or other publicly known time varying value. Output 116, according to an exemplary embodiment, may be the exemplary secret pseudo-random bit-stream used to XOR over the data D 106, in an exemplary embodiment.

By varying the values of parameters of the LUTs and/or the inter-bank connections, one can realize numerous different exemplary embodiments of cryptographic combining 114 functions and/or cryptographic devices 108. According to an exemplary embodiment, the ability to alter values and/or parameters of the LUTs and/or the inter-bank wiring offers tremendous flexibility in realizable combiners 114, but depending on need, say, for example, for cryptographic irreversibility, or other criterion, etc., some choices may be better than others.

References to "one embodiment," "an embodiment," "example embodiment," "various embodiments," etc., may indicate that the embodiment(s) of the invention so described may include a particular feature, structure, or characteristic, but not every embodiment necessarily includes the particular feature, structure, or characteristic. Further, repeated use of the phrase "in one embodiment," or "in an exemplary embodiment," does not necessarily refer to the same embodiment, although it may.
In the description and claims, the terms "coupled" and "connected," along with their derivatives, may be used. It should be understood that these terms are not intended as synonyms for each other. Rather, in particular embodiments, "connected" may be used to indicate that two or more elements are in direct physical and/or electrical contact with each other. "Coupled" may mean that two or more elements are in direct physical or electrical contact. However, "coupled" may also mean that two or more elements are not in direct contact with each other, and/or are indirectly connected to one another, but yet still co-operate or interact with each other.

An algorithm is here, and generally, considered to be a self-consistent sequence of acts or operations leading to a desired result. These include physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers or the like. It should be understood, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities.

Unless specifically stated otherwise, as apparent from the discussions herein, it is appreciated that throughout the specification discussions utilizing terms such as "processing," "computing," "calculating," "determining," or the like, refer to the action and/or processes of a system, or a processor, or a programmable logic device (PLD), or a computer or computing system, and/or similar electronic computing device, that manipulate and/or transform data represented as physical, such as electronic, quantities within the computing system's registers and/or memories into other data similarly represented as physical quantities within the system's memories, registers or other such information storage, transmission, input, output, or display devices.

In a similar manner, the term "processor" may refer to any device or portion of a device, or logic device, that processes electronic data, and/or data from registers and/or memory to transform that electronic data into other electronic data that may be stored in registers and/or memory. A "platform" may comprise one or more processors.

Embodiments of the present invention may include apparatuses or systems for performing the logical operations herein. An apparatus may be specially constructed for the desired purposes, or it may comprise a general purpose device selectively activated or reconfigured by a program stored in the device.

In one embodiment, the invention may be implemented primarily in hardware using, for example, but not limited to, hardware components such as application specific integrated circuits (ASICs), or one or more state machines, etc. Implementation of the hardware state machine so as to perform the functions described herein will be apparent to persons skilled in the relevant art(s).

In another exemplary embodiment, the invention may be implemented primarily in firmware.

While various embodiments of the present invention have been described above, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of the present invention should not be limited by any of the above described exemplary embodiments, but should instead be defined only in accordance with the following claims and their equivalents.
Claims (31)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/931,585 US9009495B2 (en) | 2013-06-28 | 2013-06-28 | High speed cryptographic combining system, and method for programmable logic devices |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/931,585 US9009495B2 (en) | 2013-06-28 | 2013-06-28 | High speed cryptographic combining system, and method for programmable logic devices |
Publications (2)
Publication Number | Publication Date |
---|---|
US20150006913A1 true US20150006913A1 (en) | 2015-01-01 |
US9009495B2 US9009495B2 (en) | 2015-04-14 |
Family
ID=52116883
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/931,585 Active 2033-12-14 US9009495B2 (en) | 2013-06-28 | 2013-06-28 | High speed cryptographic combining system, and method for programmable logic devices |
Country Status (1)
Country | Link |
---|---|
US (1) | US9009495B2 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150039910A1 (en) * | 2013-07-31 | 2015-02-05 | Fairchild Semiconductor Corporation | Side channel power attack defense with pseudo random clock operation |
US20150358160A1 (en) * | 2013-01-07 | 2015-12-10 | Michael Kara-Ivanov | Secrets renewability |
US10354065B2 (en) | 2015-10-27 | 2019-07-16 | Infineon Technologies Ag | Method for protecting data and data processing device |
US11924327B2 (en) * | 2019-01-09 | 2024-03-05 | British Telecommunications Public Limited Company | Variable data protection |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5398284A (en) * | 1993-11-05 | 1995-03-14 | United Technologies Automotive, Inc. | Cryptographic encoding process |
US5619575A (en) * | 1994-08-22 | 1997-04-08 | United Technologies Automotive, Inc. | Pseudorandom composition-based cryptographic authentication process |
US20060056623A1 (en) * | 2000-01-31 | 2006-03-16 | Vdg, Inc. | Block encryption method and schemes for data confidentiality and integrity protection |
US20110116625A1 (en) * | 2008-03-05 | 2011-05-19 | Irdeto B.V. | Cryptographic system |
US20110116628A1 (en) * | 1998-02-13 | 2011-05-19 | Tecsec, Inc. | Cryptographic key split binder for use with tagged data elements |
US20130177155A1 (en) * | 2012-10-05 | 2013-07-11 | Comtech Ef Data Corp. | Method and System for Generating Normal Distributed Random Variables Based On Cryptographic Function |
Family Cites Families (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4905176A (en) | 1988-10-28 | 1990-02-27 | International Business Machines Corporation | Random number generator circuit |
US5963104A (en) | 1996-04-15 | 1999-10-05 | Vlsi Technology, Inc. | Standard cell ring oscillator of a non-deterministic randomizer circuit |
JPH10209821A (en) | 1996-12-05 | 1998-08-07 | Texas Instr Inc <Ti> | Random noise generator and generating method |
US7587044B2 (en) | 1998-01-02 | 2009-09-08 | Cryptography Research, Inc. | Differential power analysis method and apparatus |
DE69834431T3 (en) | 1998-01-02 | 2009-09-10 | Cryptography Research Inc., San Francisco | LIQUID RESISTANT CRYPTOGRAPHIC PROCESS AND DEVICE |
DE69938045T2 (en) | 1998-06-03 | 2009-01-15 | Cryptography Research Inc., San Francisco | Use of unpredictable information to minimize the leak of chip cards and other cryptosystems |
US6510518B1 (en) | 1998-06-03 | 2003-01-21 | Cryptography Research, Inc. | Balanced cryptographic computational method and apparatus for leak minimizational in smartcards and other cryptosystems |
IL139935A (en) | 1998-06-03 | 2005-06-19 | Cryptography Res Inc | Des and other cryptographic processes with leak minimization for smartcards and other cryptosystems |
DE69935913T2 (en) | 1998-07-02 | 2008-01-10 | Cryptography Research Inc., San Francisco | LACK RESISTANT UPGRADE OF AN INDEXED CRYPTOGRAPHIC KEY |
JP2003513490A (en) | 1999-10-25 | 2003-04-08 | サイファーマンクス コンサルタンツ リミテッド | Data processing method resistant to data extraction by analyzing unintended side channel signals |
US7318145B1 (en) | 2001-06-01 | 2008-01-08 | Mips Technologies, Inc. | Random slip generator |
US7310706B1 (en) | 2001-06-01 | 2007-12-18 | Mips Technologies, Inc. | Random cache line refill |
US7142670B2 (en) | 2001-08-14 | 2006-11-28 | International Business Machines Corporation | Space-efficient, side-channel attack resistant table lookups |
WO2004034227A2 (en) | 2002-10-11 | 2004-04-22 | Quicksilver Technology, Inc. | Reconfigurable bit-manipulation node |
US7200233B1 (en) | 2002-12-10 | 2007-04-03 | L-3 Communications Corporation | System and method for fast data encryption/decryption using time slot numbering |
JP4248950B2 (en) | 2003-06-24 | 2009-04-02 | 株式会社ルネサステクノロジ | Random number generator |
DE102007007699A1 (en) | 2007-02-09 | 2008-08-14 | IHP GmbH - Innovations for High Performance Microelectronics/Institut für innovative Mikroelektronik | Reduction of page channel information by interacting crypto blocks |
IL187046A0 (en) | 2007-10-30 | 2008-02-09 | Sandisk Il Ltd | Memory randomization for protection against side channel attacks |
US8250378B1 (en) | 2008-02-04 | 2012-08-21 | Crossroads Systems, Inc. | System and method for enabling encryption |
EP2148462A1 (en) | 2008-07-22 | 2010-01-27 | University College Cork | A differential side-channel analysis countermeasure |
FR2941343B1 (en) | 2009-01-20 | 2011-04-08 | Groupe Des Ecoles De Telecommunications Get Ecole Nat Superieure Des Telecommunications Enst | CIRCUIT OF CRYPTOGRAPHY, PROTECTS IN PARTICULAR AGAINST ATTACKS BY OBSERVATION OF LEAKS OF INFORMATION BY THEIR ENCRYPTION. |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150358160A1 (en) * | 2013-01-07 | 2015-12-10 | Michael Kara-Ivanov | Secrets renewability |
US9407434B2 (en) * | 2013-01-07 | 2016-08-02 | Cisco Technology, Inc. | Secrets renewability |
US20150039910A1 (en) * | 2013-07-31 | 2015-02-05 | Fairchild Semiconductor Corporation | Side channel power attack defense with pseudo random clock operation |
US9401802B2 (en) * | 2013-07-31 | 2016-07-26 | Fairchild Semiconductor Corporation | Side channel power attack defense with pseudo random clock operation |
US10354065B2 (en) | 2015-10-27 | 2019-07-16 | Infineon Technologies Ag | Method for protecting data and data processing device |
US11924327B2 (en) * | 2019-01-09 | 2024-03-05 | British Telecommunications Public Limited Company | Variable data protection |
Also Published As
Publication number | Publication date |
---|---|
US9009495B2 (en) | 2015-04-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: ENVIETA LLC, MARYLAND. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:DANIEL, ARTHUR MARK;PETRO, JOHN;MILLHOLLON, TIMOTHY MARK;SIGNING DATES FROM 20130625 TO 20130627;REEL/FRAME:030715/0062 |
 | STCF | Information on status: patent grant | Free format text: PATENTED CASE |
 | MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2551). Year of fee payment: 4 |
 | MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2552); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY. Year of fee payment: 8 |